
FortiGate-7000 Release Notes


Default FortiGate-6000 and 7000 configuration for traffic that cannot be load balanced

The default configuration of the config load-balance flow-rule command contains the recommended flow rules that control how the FortiGate-6000 or 7000 handles traffic types that cannot be load balanced. Most of the flow rules in the default configuration are enabled and send common traffic types that cannot be load balanced to the primary FPC or FPM. FortiGate-6000F, 7000E, and 7000F for FortiOS 6.2.6 have the same default flow rules.

All of the default flow rules identify the traffic type using the options available in the command and direct matching traffic to the primary (or master) FPC or FPM (action set to forward and forward-slot set to master). Each default flow rule also includes a comment that identifies the traffic type. Settings left at their default values, such as action forward, forward-slot master, and the disabled status of the Kerberos and PPTP rules, do not appear as explicit lines in the listing below.

The default configuration also includes disabled flow rules for Kerberos and PPTP traffic. You normally only need to enable these flow rules if you know that your FortiGate will handle these types of traffic.

The CLI syntax below was created with the show full configuration command.

config load-balance flow-rule
    edit 1
        set ether-type ip
        set protocol udp
        set src-l4port 88-88
        set comment "kerberos src"
    next
    edit 2
        set ether-type ip
        set protocol udp
        set dst-l4port 88-88
        set comment "kerberos dst"
    next
    edit 3
        set status enable
        set ether-type ip
        set protocol tcp
        set src-l4port 179-179
        set comment "bgp src"
    next
    edit 4
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 179-179
        set comment "bgp dst"
    next
    edit 5
        set status enable
        set ether-type ip
        set protocol udp
        set src-l4port 520-520
        set dst-l4port 520-520
        set comment "rip"
    next
    edit 6
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 521-521
        set dst-l4port 521-521
        set comment "ripng"
    next
    edit 7
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set comment "dhcpv4 client to server"
    next
    edit 9
        set ether-type ip
        set protocol tcp
        set src-l4port 1723-1723
        set comment "pptp src"
    next
    edit 10
        set ether-type ip
        set protocol tcp
        set dst-l4port 1723-1723
        set comment "pptp dst"
    next
    edit 11
        set status enable
        set ether-type ip
        set protocol udp
        set dst-l4port 3784-3784
        set comment "bfd control"
    next
    edit 12
        set status enable
        set ether-type ip
        set protocol udp
        set dst-l4port 3785-3785
        set comment "bfd echo"
    next
    edit 13
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set comment "dhcpv6 client to server"
    next
    edit 15
        set status enable
        set ether-type ipv4
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set ether-type ipv6
        set dst-addr-ipv6 ff00::/8
        set comment "ipv6 multicast"
    next
    edit 17
        set ether-type ipv4
        set protocol udp
        set dst-l4port 2123-2123
        set comment "gtp-c to master blade"
    next
    edit 18
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 1000-1000
        set comment "authd http to master blade"
    next
    edit 19
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 1003-1003
        set comment "authd https to master blade"
    next
    edit 20
        set status enable
        set ether-type ip
        set protocol vrrp
        set priority 6
        set comment "vrrp to master blade"
    next
end

Default FortiGate-6000 and 7000 configuration for traffic that cannot be load balanced

The default configuration of the config load-balance flow-rule command contains the recommended flow rules that control how the FortiGate-6000 or 7000 handles traffic types that cannot be load balanced. Most of the flow rules in the default configuration are enabled and send common traffic types that cannot be load balanced to the primary FPC or FPM. FortiGate-6000F, 7000E, and 7000F for FortiOS 6.2.6 have the same default flow rules.

All of the default flow rules identify the traffic type using the options available in the command and direct matching traffic to the primary (or master) FPC or FPM (action set to forward and forward-slot set to master). Each default flow rule also includes a comment that identifies the traffic type. Settings left at their default values, such as action forward, forward-slot master, and the disabled status of the Kerberos and PPTP rules, do not appear as explicit lines in the listing below.

The default configuration also includes disabled flow rules for Kerberos and PPTP traffic. You normally only need to enable these flow rules if you know that your FortiGate will handle these types of traffic.

The CLI syntax below was created with the show full configuration command.

config load-balance flow-rule
    edit 1
        set ether-type ip
        set protocol udp
        set src-l4port 88-88
        set comment "kerberos src"
    next
    edit 2
        set ether-type ip
        set protocol udp
        set dst-l4port 88-88
        set comment "kerberos dst"
    next
    edit 3
        set status enable
        set ether-type ip
        set protocol tcp
        set src-l4port 179-179
        set comment "bgp src"
    next
    edit 4
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 179-179
        set comment "bgp dst"
    next
    edit 5
        set status enable
        set ether-type ip
        set protocol udp
        set src-l4port 520-520
        set dst-l4port 520-520
        set comment "rip"
    next
    edit 6
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 521-521
        set dst-l4port 521-521
        set comment "ripng"
    next
    edit 7
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 67-67
        set dst-l4port 68-68
        set comment "dhcpv4 server to client"
    next
    edit 8
        set status enable
        set ether-type ipv4
        set protocol udp
        set src-l4port 68-68
        set dst-l4port 67-67
        set comment "dhcpv4 client to server"
    next
    edit 9
        set ether-type ip
        set protocol tcp
        set src-l4port 1723-1723
        set comment "pptp src"
    next
    edit 10
        set ether-type ip
        set protocol tcp
        set dst-l4port 1723-1723
        set comment "pptp dst"
    next
    edit 11
        set status enable
        set ether-type ip
        set protocol udp
        set dst-l4port 3784-3784
        set comment "bfd control"
    next
    edit 12
        set status enable
        set ether-type ip
        set protocol udp
        set dst-l4port 3785-3785
        set comment "bfd echo"
    next
    edit 13
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 547-547
        set dst-l4port 546-546
        set comment "dhcpv6 server to client"
    next
    edit 14
        set status enable
        set ether-type ipv6
        set protocol udp
        set src-l4port 546-546
        set dst-l4port 547-547
        set comment "dhcpv6 client to server"
    next
    edit 15
        set status enable
        set ether-type ipv4
        set dst-addr-ipv4 224.0.0.0 240.0.0.0
        set comment "ipv4 multicast"
    next
    edit 16
        set status enable
        set ether-type ipv6
        set dst-addr-ipv6 ff00::/8
        set comment "ipv6 multicast"
    next
    edit 17
        set ether-type ipv4
        set protocol udp
        set dst-l4port 2123-2123
        set comment "gtp-c to master blade"
    next
    edit 18
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 1000-1000
        set comment "authd http to master blade"
    next
    edit 19
        set status enable
        set ether-type ip
        set protocol tcp
        set dst-l4port 1003-1003
        set comment "authd https to master blade"
    next
    edit 20
        set status enable
        set ether-type ip
        set protocol vrrp
        set priority 6
        set comment "vrrp to master blade"
    next
end